-
-
Notifications
You must be signed in to change notification settings - Fork 481
/
config.yaml
467 lines (465 loc) · 16.9 KB
/
config.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
github_access_tokens:
- ''
webhook: '' # URL to which the payload is POSTed
# This default payload will work for Slack and MatterMost.
# Consult your webhook API for additional configurations.
webhook_payload: |
{
"text": "%s"
}
blacklisted_strings: ["AKIAIOSFODNN7EXAMPLE", "username:password", "sshpass -p $SSH_PASS"] # skip matches containing any of these strings (case insensitive
blacklisted_extensions: [".exe", ".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tiff", ".tif", ".psd", ".xcf", ".zip", ".tar.gz", ".ttf", ".lock"]
blacklisted_paths: ["node_modules{sep}", "vendor{sep}bundle", "vendor{sep}cache"] # use {sep} for the OS' path seperator (i.e. / or \)
blacklisted_entropy_extensions: [".pem", "id_rsa", ".asc", ".ovpn", ".sqlite", ".sqlite3", ".log"] # additional extensions to skip entropy checks
signatures:
- part: 'extension'
match: '.pem'
name: 'Potential cryptographic private key'
- part: 'extension'
match: '.log'
name: 'Log file'
- part: 'extension'
match: '.pkcs12'
name: 'Potential cryptographic key bundle'
- part: 'extension'
match: '.p12'
name: 'Potential cryptographic key bundle'
- part: 'extension'
match: '.pfx'
name: 'Potential cryptographic key bundle'
- part: 'extension'
match: '.asc'
name: 'Potential cryptographic key bundle'
- part: 'filename'
match: 'otr.private_key'
name: 'Pidgin OTR private key'
- part: 'extension'
match: '.ovpn'
name: 'OpenVPN client configuration file'
- part: 'extension'
match: '.cscfg'
name: 'Azure service configuration schema file'
- part: 'extension'
match: '.rdp'
name: 'Remote Desktop connection file'
- part: 'extension'
match: '.mdf'
name: 'Microsoft SQL database file'
- part: 'extension'
match: '.sdf'
name: 'Microsoft SQL server compact database file'
- part: 'extension'
match: '.sqlite'
name: 'SQLite database file'
- part: 'extension'
match: '.sqlite3'
name: 'SQLite3 database file'
- part: 'extension'
match: '.bek'
name: 'Microsoft BitLocker recovery key file'
- part: 'extension'
match: '.tpm'
name: 'Microsoft BitLocker Trusted Platform Module password file'
- part: 'extension'
match: '.fve'
name: 'Windows BitLocker full volume encrypted data file'
- part: 'extension'
match: '.jks'
name: 'Java keystore file'
- part: 'extension'
match: '.psafe3'
name: 'Password Safe database file'
- part: 'filename'
match: 'secret_token.rb'
name: 'Ruby On Rails secret token configuration file'
- part: 'filename'
match: 'carrierwave.rb'
name: 'Carrierwave configuration file'
- part: 'filename'
match: 'database.yml'
name: 'Potential Ruby On Rails database configuration file'
- part: 'filename'
match: 'omniauth.rb'
name: 'OmniAuth configuration file'
- part: 'filename'
match: 'settings.py'
name: 'Django configuration file'
- part: 'extension'
match: '.agilekeychain'
name: '1Password password manager database file'
- part: 'extension'
match: '.keychain'
name: 'Apple Keychain database file'
- part: 'extension'
match: '.pcap'
name: 'Network traffic capture file'
- part: 'extension'
match: '.gnucash'
name: 'GnuCash database file'
- part: 'filename'
match: 'jenkins.plugins.publish_over_ssh.BapSshPublisherPlugin.xml'
name: 'Jenkins publish over SSH plugin file'
- part: 'filename'
match: 'credentials.xml'
name: 'Potential Jenkins credentials file'
- part: 'extension'
match: '.kwallet'
name: 'KDE Wallet Manager database file'
- part: 'filename'
match: 'LocalSettings.php'
name: 'Potential MediaWiki configuration file'
- part: 'extension'
match: '.tblk'
name: 'Tunnelblick VPN configuration file'
- part: 'filename'
match: 'Favorites.plist'
name: 'Sequel Pro MySQL database manager bookmark file'
- part: 'filename'
match: 'configuration.user.xpl'
name: 'Little Snitch firewall configuration file'
- part: 'extension'
match: '.dayone'
name: 'Day One journal file'
- part: 'filename'
match: 'journal.txt'
name: 'Potential jrnl journal file'
- part: 'filename'
match: 'knife.rb'
name: 'Chef Knife configuration file'
- part: 'filename'
match: 'proftpdpasswd'
name: 'cPanel backup ProFTPd credentials file'
- part: 'filename'
match: 'robomongo.json'
name: 'Robomongo MongoDB manager configuration file'
- part: 'filename'
match: 'filezilla.xml'
name: 'FileZilla FTP configuration file'
- part: 'filename'
match: 'recentservers.xml'
name: 'FileZilla FTP recent servers file'
- part: 'filename'
match: 'ventrilo_srv.ini'
name: 'Ventrilo server configuration file'
- part: 'filename'
match: 'terraform.tfvars'
name: 'Terraform variable config file'
- part: 'filename'
match: '.exports'
name: 'Shell configuration file'
- part: 'filename'
match: '.functions'
name: 'Shell configuration file'
- part: 'filename'
match: '.extra'
name: 'Shell configuration file'
- part: 'filename'
regex: '^.*_rsa$'
name: 'Private SSH key'
- part: 'filename'
regex: '^.*_dsa$'
name: 'Private SSH key'
- part: 'filename'
regex: '^.*_ed25519$'
name: 'Private SSH key'
- part: 'filename'
regex: '^.*_ecdsa$'
name: 'Private SSH key'
- part: 'path'
regex: '\.?ssh/config$'
name: 'SSH configuration file'
- part: 'extension'
regex: '^key(pair)?$'
name: 'Potential cryptographic private key'
- part: 'filename'
regex: '^\.?(bash_|zsh_|sh_|z)?history$'
name: 'Shell command history file'
- part: 'filename'
regex: '^\.?mysql_history$'
name: 'MySQL client command history file'
- part: 'filename'
regex: '^\.?psql_history$'
name: 'PostgreSQL client command history file'
- part: 'filename'
regex: '^\.?pgpass$'
name: 'PostgreSQL password file'
- part: 'filename'
regex: '^\.?irb_history$'
name: 'Ruby IRB console history file'
- part: 'path'
regex: '\.?purple/accounts\.xml$'
name: 'Pidgin chat client account configuration file'
- part: 'path'
regex: '\.?xchat2?/servlist_?\.conf$'
name: 'Hexchat/XChat IRC client server list configuration file'
- part: 'path'
regex: '\.?irssi/config$'
name: 'Irssi IRC client configuration file'
- part: 'path'
regex: '\.?recon-ng/keys\.db$'
name: 'Recon-ng web reconnaissance framework API key database'
- part: 'filename'
regex: '^\.?dbeaver-data-sources.xml$'
name: 'DBeaver SQL database manager configuration file'
- part: 'filename'
regex: '^\.?muttrc$'
name: 'Mutt e-mail client configuration file'
- part: 'filename'
regex: '^\.?s3cfg$'
name: 'S3cmd configuration file'
- part: 'path'
regex: '\.?aws/credentials$'
name: 'AWS CLI credentials file'
- part: 'filename'
regex: '^sftp-config(\.json)?$'
name: 'SFTP connection configuration file'
- part: 'filename'
regex: '^\.?trc$'
name: 'T command-line Twitter client configuration file'
- part: 'filename'
regex: '^\.?(bash|zsh|csh)rc$'
name: 'Shell configuration file'
- part: 'filename'
regex: '^\.?(bash_|zsh_)?profile$'
name: 'Shell profile configuration file'
- part: 'filename'
regex: '^\.?(bash_|zsh_)?aliases$'
name: 'Shell command alias configuration file'
- part: 'filename'
regex: 'config(\.inc)?\.php$'
name: 'PHP configuration file'
- part: 'extension'
regex: '^key(store|ring)$'
name: 'GNOME Keyring database file'
- part: 'extension'
regex: '^kdbx?$'
name: 'KeePass password manager database file'
- part: 'extension'
regex: '^sql(dump)?$'
name: 'SQL dump file'
- part: 'filename'
regex: '^\.?htpasswd$'
name: 'Apache htpasswd file'
- part: 'filename'
regex: '^(\.|_)?netrc$'
name: 'Configuration file for auto-login process'
- part: 'path'
regex: '\.?gem/credentials$'
name: 'Rubygems credentials file'
- part: 'filename'
regex: '^\.?tugboat$'
name: 'Tugboat DigitalOcean management tool configuration'
- part: 'path'
regex: 'doctl/config.yaml$'
name: 'DigitalOcean doctl command-line client configuration file'
- part: 'filename'
regex: '^\.?git-credentials$'
name: 'git-credential-store helper credentials file'
- part: 'path'
regex: 'config/hub$'
name: 'GitHub Hub command-line client configuration file'
- part: 'filename'
regex: '^\.?gitconfig$'
name: 'Git configuration file'
- part: 'path'
regex: '\.?chef/(.*)\.pem$'
name: 'Chef private key'
- part: 'path'
regex: 'etc/shadow$'
name: 'Potential Linux shadow file'
- part: 'path'
regex: 'etc/passwd$'
name: 'Potential Linux passwd file'
comment: 'Contains system user information'
- part: 'filename'
regex: '^\.?dockercfg$'
name: 'Docker configuration file'
- part: 'filename'
regex: '^\.?npmrc$'
name: 'NPM configuration file'
- part: 'filename'
regex: '^\.?env$'
name: 'Environment configuration file'
- part: 'contents'
regex: '(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'
name: 'AWS Access Key ID Value'
- part: 'contents'
regex: "((\\\"|'|`)?((?i)aws)?_?((?i)access)_?((?i)key)?_?((?i)id)?(\\\"|'|`)?\\\\s{0,50}(:|=>|=)\\\\s{0,50}(\\\"|'|`)?(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}(\\\"|'|`)?)"
name: 'AWS Access Key ID'
- part: 'contents'
regex: "((\\\"|'|`)?((?i)aws)?_?((?i)account)_?((?i)id)?(\\\"|'|`)?\\\\s{0,50}(:|=>|=)\\\\s{0,50}(\\\"|'|`)?[0-9]{4}-?[0-9]{4}-?[0-9]{4}(\\\"|'|`)?)"
name: 'AWS Account ID'
- part: 'contents'
regex: "((\\\"|'|`)?((?i)aws)?_?((?i)secret)_?((?i)access)?_?((?i)key)?_?((?i)id)?(\\\"|'|`)?\\\\s{0,50}(:|=>|=)\\\\s{0,50}(\\\"|'|`)?[A-Za-z0-9/+=]{40}(\\\"|'|`)?)"
name: 'AWS Secret Access Key'
- part: 'contents'
regex: "((\\\"|'|`)?((?i)aws)?_?((?i)session)?_?((?i)token)?(\\\"|'|`)?\\\\s{0,50}(:|=>|=)\\\\s{0,50}(\\\"|'|`)?[A-Za-z0-9/+=]{16,}(\\\"|'|`)?)"
name: 'AWS Session Token'
- part: 'contents'
regex: "(?i)artifactory.{0,50}(\\\"|'|`)?[a-zA-Z0-9=]{112}(\\\"|'|`)?"
name: 'Artifactory'
- part: 'contents'
regex: "(?i)codeclima.{0,50}(\\\"|'|`)?[0-9a-f]{64}(\\\"|'|`)?"
name: 'CodeClimate'
- part: 'contents'
regex: 'EAACEdEose0cBA[0-9A-Za-z]+'
name: 'Facebook access token'
- part: 'contents'
regex: "((\\\"|'|`)?type(\\\"|'|`)?\\\\s{0,50}(:|=>|=)\\\\s{0,50}(\\\"|'|`)?service_account(\\\"|'|`)?,?)"
name: 'Google (GCM) Service account'
- part: 'contents'
regex: '(?:r|s)k_[live|test]_[0-9a-zA-Z]{24}'
name: 'Stripe API key'
- part: 'contents'
regex: '[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com'
name: 'Google OAuth Key'
- part: 'contents'
regex: 'AIza[0-9A-Za-z\\-_]{35}'
name: 'Google Cloud API Key'
- part: 'contents'
regex: 'ya29\\.[0-9A-Za-z\\-_]+'
name: 'Google OAuth Access Token'
- part: 'contents'
regex: 'sk_[live|test]_[0-9a-z]{32}'
name: 'Picatic API key'
- part: 'contents'
regex: 'sq0atp-[0-9A-Za-z\-_]{22}'
name: 'Square Access Token'
- part: 'contents'
regex: 'sq0csp-[0-9A-Za-z\-_]{43}'
name: 'Square OAuth Secret'
- part: 'contents'
regex: 'access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}'
name: 'PayPal/Braintree Access Token'
- part: 'contents'
regex: 'amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
name: 'Amazon MWS Auth Token'
- part: 'contents'
regex: 'SK[0-9a-fA-F]{32}'
name: 'Twilo API Key'
- part: 'contents'
regex: 'SG\.[0-9A-Za-z\-_]{22}\.[0-9A-Za-z\-_]{43}'
name: 'SendGrid API Key'
- part: 'contents'
regex: 'key-[0-9a-zA-Z]{32}'
name: 'MailGun API Key'
- part: 'contents'
regex: '[0-9a-f]{32}-us[0-9]{12}'
name: 'MailChimp API Key'
- part: 'contents'
regex: "sshpass -p.*['|\\\"]"
name: 'SSH Password'
- part: 'contents'
regex: '(https\\://outlook\\.office.com/webhook/[0-9a-f-]{36}\\@)'
name: 'Outlook team'
- part: 'contents'
regex: "(?i)sauce.{0,50}(\\\"|'|`)?[0-9a-f-]{36}(\\\"|'|`)?"
name: 'Sauce Token'
- part: 'contents'
regex: '(xox[pboa]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})'
name: 'Slack Token'
- part: 'contents'
regex: 'https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}'
name: 'Slack Webhook'
- part: 'contents'
regex: "(?i)sonar.{0,50}(\\\"|'|`)?[0-9a-f]{40}(\\\"|'|`)?"
name: 'SonarQube Docs API Key'
- part: 'contents'
regex: "(?i)hockey.{0,50}(\\\"|'|`)?[0-9a-f]{32}(\\\"|'|`)?"
name: 'HockeyApp'
- part: 'contents'
regex: '([\w+]{1,24})(://)([^$<]{1})([^\s";]{1,}):([^$<]{1})([^\s";/]{1,})@[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,24}([^\s]+)'
name: 'Username and password in URI'
- part: 'contents'
regex: 'oy2[a-z0-9]{43}'
name: 'NuGet API Key'
- part: 'contents'
regex: 'hawk\.[0-9A-Za-z\-_]{20}\.[0-9A-Za-z\-_]{20}'
name: 'StackHawk API Key'
- part: 'extension'
match: '.ppk'
name: 'Potential PuTTYgen private key'
- part: 'filename'
match: 'heroku.json'
name: 'Heroku config file'
- part: 'extension'
match: '.sqldump'
name: 'SQL Data dump file'
- part: 'filename'
match: 'dump.sql'
name: 'MySQL dump w/ bcrypt hashes'
- part: 'filename'
match: 'id_rsa_pub'
name: 'Public ssh key'
- part: 'filename'
match: 'mongoid.yml'
name: 'Mongoid config file'
- part: 'filename'
match: 'salesforce.js'
name: 'Salesforce credentials in a nodejs project'
- part: 'extension'
match: '.netrc'
name: 'netrc with SMTP credentials'
- part: 'filename'
regex: '.remote-sync.json$'
name: 'Created by remote-sync for Atom, contains FTP and/or SCP/SFTP/SSH server details and credentials'
- part: 'filename'
regex: '.esmtprc$'
name: 'esmtp configuration'
- part: 'filename'
regex: '^deployment-config.json?$'
name: 'Created by sftp-deployment for Atom, contains server details and credentials'
- part: 'filename'
regex: '.ftpconfig$'
name: 'Created by sftp-deployment for Atom, contains server details and credentials'
- part: 'contents'
regex: '-----BEGIN (EC|RSA|DSA|OPENSSH|PGP) PRIVATE KEY'
name: 'Contains a private key'
- part: 'contents'
regex: 'define(.{0,20})?(DB_CHARSET|NONCE_SALT|LOGGED_IN_SALT|AUTH_SALT|NONCE_KEY|DB_HOST|DB_PASSWORD|AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|DB_NAME|DB_USER)(.{0,20})?[''|"].{10,120}[''|"]'
name: 'WP-Config'
- part: 'contents'
regex: '(?i)(aws_access_key_id|aws_secret_access_key)(.{0,20})?=.[0-9a-zA-Z\/+]{20,40}'
name: 'AWS cred file info'
- part: 'contents'
regex: '(?i)(facebook|fb)(.{0,20})?(?-i)[''\"][0-9a-f]{32}[''\"]'
name: 'Facebook Secret Key'
- part: 'contents'
regex: '(?i)(facebook|fb)(.{0,20})?[''\"][0-9]{13,17}[''\"]'
name: 'Facebook Client ID'
- part: 'contents'
regex: '(?i)twitter(.{0,20})?[''\"][0-9a-z]{35,44}[''\"]'
name: 'Twitter Secret Key'
- part: 'contents'
regex: '(?i)twitter(.{0,20})?[''\"][0-9a-z]{18,25}[''\"]'
name: 'Twitter Client ID'
- part: 'contents'
regex: '(?i)github(.{0,20})?(?-i)[''\"][0-9a-zA-Z]{35,40}[''\"]'
name: 'Github Key'
- part: 'contents'
regex: '(?i)heroku(.{0,20})?[''"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}[''"]'
name: 'Heroku API key'
- part: 'contents'
regex: '(?i)linkedin(.{0,20})?(?-i)[''\"][0-9a-z]{12}[''\"]'
name: 'Linkedin Client ID'
- part: 'contents'
regex: '(?i)linkedin(.{0,20})?[''\"][0-9a-z]{16}[''\"]'
name: 'LinkedIn Secret Key'
- part: 'path'
regex: '\.?idea[\\\/]WebServers.xml$'
name: 'Created by Jetbrains IDEs, contains webserver credentials with encoded passwords (not encrypted!)'
- part: 'path'
regex: '\.?vscode[\\\/]sftp.json$'
name: 'Created by vscode-sftp for VSCode, contains SFTP/SSH server details and credentials'
- part: 'path'
regex: 'web[\\\/]ruby[\\\/]secrets.yml'
name: 'Ruby on rails secrets.yml file (contains passwords)'
- part: 'path'
regex: '\.?docker[\\\/]config.json$'
name: 'Docker registry authentication file'
- part: 'path'
regex: 'ruby[\\\/]config[\\\/]master.key$'
name: 'Rails master key (used for decrypting credentials.yml.enc for Rails 5.2+)'
- part: 'path'
regex: '\.?mozilla[\\\/]firefox[\\\/]logins.json$'
name: 'Firefox saved password collection (can be decrypted using keys4.db)'